JP7322619B2 - COMPUTER SYSTEM, LOGIN SCREEN DISPLAY METHOD, PROGRAM - Google Patents

Description

The present invention relates to a computer system, a login screen display method, and a program.

2. Description of the Related Art An information processing system is known that provides software or the like to users via a network. A user can use the services provided by the information processing system from the client terminal by preparing a certain environment such as a client terminal such as a PC (personal computer), a web browser running on it, and an Internet connection environment. can.

In some cases, an organization such as a company contracts for a service provided by such an information processing system, and a member of the organization uses the service as a user. Organizations that have contracted for information processing system services are managed in units called tenants. A user logs into the information processing system in order to use the services permitted by the tenant.

A technology is known that simplifies a user's login operation in consideration of the user's convenience (see, for example, Patent Document 1). Japanese Patent Laid-Open No. 2002-200000 discloses a login method that enables login by simply entering a password after selecting oneself from a user list when an e-mail address and a password are normally entered.

However, in the conventional technology, when an information processing system prepares a plurality of login methods, there is a problem that an appropriate login screen cannot be displayed unless a user is identified once each login.

SUMMARY OF THE INVENTION An object of the present invention is to provide a computer system capable of displaying an appropriate login screen without specifying a user.

In view of the above problems, the present invention provides a computer system having an information processing system that authenticates a user by one of a plurality of login methods, and a terminal device that requests the information processing system to authenticate the user, wherein the terminal The apparatus includes a processing control unit that determines a login method according to a login method used in the past , stores the login method used in the past in an information storage unit, and a login method determined by the processing control unit. and a display control unit that displays a corresponding login screen, wherein the terminal device receives screen information of login screens corresponding to one or more login methods permitted by a tenant to which the user belongs from the information processing system. When the acquired login method used in the past is not stored in the information storage unit, the display control unit displays a login screen corresponding to the login method acquired from the information processing system. .

It is possible to provide a computer system that can display an appropriate login screen without specifying a user.

FIG. 2 is a diagram for explaining an outline of processing for a user to log in to a computer system; FIG. 1 is a configuration diagram of an example of a computer system; FIG. 1 is a hardware configuration diagram of an example of a computer; FIG. 1 is a hardware configuration diagram of an example of an image forming apparatus; FIG. It is an example of the functional block diagram which divides into block form and demonstrates the function of a 1st terminal device, a 2nd terminal device, an electronic device, and an information processing system. FIG. 10 is a diagram showing an example of a login method setting screen displayed by a second terminal device operated by an administrator; FIG. 10 is an example of a sequence diagram showing a procedure for a user to operate the first terminal device to display a login screen (No. 1); FIG. 10 is an example of a sequence diagram showing a procedure for a user to operate the first terminal device to display a login screen (No. 2); It is a figure which shows an example of an e-mail address input screen. It is a figure which shows an example of login screen A1. It is a figure which shows an example of login screen B1. It is a figure which shows an example of the login screen C1. It is a figure which shows an example of the login screen D1. It is a figure which shows an example of login screen A2. It is a figure which shows an example of login screen B2. It is a figure which shows an example of the login screen C2. FIG. 10 is a diagram showing an example of a login screen F displayed when a plurality of login methods are permitted; FIG. 10 is an example of a sequence diagram illustrating login processing corresponding to each login method (No. 1); FIG. 10 is an example of a sequence diagram illustrating login processing corresponding to each login method (No. 2); It is a figure which shows an example of a top screen. FIG. 10 is an example of a sequence diagram showing processing executed by the first terminal device and the information processing system when a “confirm another login method button” is pressed; FIG. 10 is an example of a sequence diagram in which the information processing system causes the user to log out when the login method used by the user is not permitted by the tenant's login settings, and to log in using the login method permitted by the tenant (No. 1). FIG. 10 is an example of a sequence diagram of an information processing system that causes a user to log out when the login method used by the user is not permitted by the tenant's login settings, and to log in using the login method permitted by the tenant (No. 2). FIG. 10 is a diagram showing an example of a logout screen; FIG. 11 is an example of a sequence diagram in which the first terminal device changes the login screen displayed according to the tenant's login settings and the user's role (No. 1); FIG. 11 is an example of a sequence diagram in which the first terminal device changes the login screen displayed according to the tenant's login settings and the user's role (No. 2); FIG. 11 is a diagram showing an example of a login screen E1; FIG. FIG. 10 is an example of a sequence diagram showing processing executed by the second terminal device and the information processing system when a “confirm another login method button” is pressed; FIG. 11 is an example of a sequence diagram illustrating a process of saving all login methods by the second terminal device when the logged-in user is an administrator (No. 1); FIG. 10 is an example of a sequence diagram illustrating a process of saving all login methods by the second terminal device when the logged-in user is an administrator (No. 2); If the login method stored in the browser information memory is used to log in, but the user logs in using a login method that is not permitted by the tenant login settings, the account information required by the login method permitted by the tenant login settings is an example of a sequence diagram in which the user replenishes (No. 1). If the login method stored in the browser information memory is used to log in, but the user logs in using a login method that is not permitted by the tenant login settings, the account information required by the login method permitted by the tenant login settings is an example of a sequence diagram in which the user replenishes (No. 2). It is a figure which shows an example of a password setting screen. It is a figure which shows an example of an external service authentication cooperation screen.

A computer system and a login screen display method performed by the computer system will be described below as an example of a mode for carrying out the present invention.

<Overview of operation>
In the present embodiment, a service provided by an information processing system is assumed to be contracted by an organization such as a company, and a person who belongs to the organization uses the service as a user. Organizations that have contracted for services are managed in units called tenants. Service users are employees of companies, etc., and each user belongs to one or more tenants. A user who can execute a contracted service is set by, for example, an administrator, and the service that the user can use is determined according to the user. When a user logs into the information processing system, a portal screen including a list of services available to the user is displayed on the user's terminal device. The service is provided as a web application, and the icon of the application corresponding to the service is displayed on the portal screen.

For example, the service processes slips that are processed according to a fixed procedure, and can reduce the user's workload. Workflow refers to automatically executing one or more processes on electronic data in a predetermined order. In this way, when a user logs in, a portal screen for the user's work is displayed, so the service provided by the information processing system is sometimes called a workplace.

First, the outline of the operation performed by the computer system will be described with reference to FIG. FIG. 1 is a diagram for explaining an outline of a process for a user to log in to the computer system 1. As shown in FIG.
(1) A user logs into the information processing system 50 using the first terminal device 20 . When logging in for the first time, the user enters account information on the login screen corresponding to the login method permitted by the tenant.
(2) If the authentication is successful, the first terminal device 20 saves the login method used by the user. An example of a login method is as follows.
(A) Email address and password (B) Tenant ID, user ID and password (C) Use external service (D) All
(3) When the user logs into the information processing system 50 from the next time onwards, the first terminal device 20 displays a login screen corresponding to the saved login method.

Therefore, once the login method is saved, the login screen corresponding to the login method permitted by this tenant can be displayed on the first The terminal device 20 can display. For example, if the user has logged in using the login method of "(C) Use an external service", the external service 70 does not require an email address for authentication (the login screen corresponding to the login method using an external service does not require an email address). address is not required), and the information processing system 50 can reduce the need to request the user to enter an unnecessary e-mail address.

<Terms>
A tenant is a customer who shares the same software among multiple customers. A person who has the right to use multiple software instances in the system.

The information processing system 50 is one or more information processing devices. This information processing device is sometimes called a server. The information processing device is mainly placed on the Internet, but may be placed on a local network (inside the firewall) such as inside the company. One or more information processing devices may be referred to as a cloud system. A cloud system is a system that uses cloud computing, and cloud computing is a form of usage in which resources on a network are used without being conscious of specific hardware resources. In general, a cloud system sometimes indicates an information processing system arranged on the Internet, but it is often arranged in a local network.

<System configuration example>
FIG. 2 is a configuration diagram of an example of the computer system 1 according to this embodiment. In the computer system 1 of FIG. 2, a customer environment 8 is connected to an information processing system 50 via a network N1 such as the Internet. The network N1 also includes a telephone line such as a mobile telephone network.

A customer is a customer of the service provided by the information processing system 50, and includes organizations such as companies, groups, educational institutions, administrative agencies, and departments. Those who have some kind of employment relationship with these customers are called users. Users include general users and administrators. One or more electronic devices 10, a first terminal device 20, a second terminal device 30, and a firewall 7 are connected to the customer environment 8 via a network N2 such as a LAN. The information processing system 50 also includes one or more information processing devices connected to the network N1.

The electronic device 10 is, for example, an image forming apparatus 10a, and the image forming apparatus 10a includes laser printers, multi-function printers, MFPs (Multi-function Peripheral/Product/Printer), and the like. Further, the electronic device 10 also includes an electronic blackboard 10b. In addition, the electronic device 10 includes, for example, a PJ (Projector: projector), an output device such as a digital signage, a HUD (Head Up Display) device, an industrial machine, an imaging device, a sound collector, a medical device, a network appliance, an automobile ( connected car), notebook PC, mobile phone, smart phone, tablet terminal, game machine, PDA (Personal Digital Assistant), digital camera, wearable PC, desktop PC, or the like.

The electronic device 10 of the present embodiment is a terminal for users registered in the information processing system 50 to use services. A user logs into the information processing system 50 from the electronic device 10 , selects an application (application software) for which the user is authorized to use, and receives services provided by the information processing system 50 . In this way, services are provided on an app-by-app basis.

The first terminal device 20 is an information processing device such as a smart phone, a mobile phone, a tablet PC, a desktop PC, or a notebook PC used by general users. A program having a screen display function such as a web browser is installed in the first terminal device 20 . This program is not limited to a web browser as long as it has a function of displaying screen information received from the information processing system 50 as a screen. A program dedicated to the information processing system 50 may be used.

The second terminal device 30 is an information processing device such as a smart phone, a mobile phone, a tablet PC, a desktop PC, or a notebook PC used by the administrator. A program having a screen display function such as a web browser is installed in the second terminal device 30 . This program is not limited to a web browser as long as it has a function of displaying screen information received from the information processing system 50 as a screen. A program dedicated to the information processing system 50 may be used.

The firewall 7 is a device for preventing intrusion into the customer environment 8 from the outside, and all communications from the customer environment 8 are monitored by the firewall 7 . However, this is not the case when the first terminal device 20 and the second terminal device 30 communicate with the information processing system 50 via a telephone line such as a mobile phone network.

The information processing system 50 provides various services to the electronic device 10, the second terminal device 30, and the like via the network N1. There are various services depending on the type of the electronic device 10, but in the case of the image forming apparatus 10a, there is a service for uploading and saving the read document to storage on the cloud, and a service for downloading and printing image data from the storage on the cloud. Services include, but are not limited to. In the case of the electronic blackboard 10b, for example, there is a service that recognizes voice in real time to create minutes, a service that converts handwritten data into text, and the like. In the case of the second terminal device 30, for example, there is a real-time translation service for web pages.

In the information processing system 50, tenants and users are associated with each other. A service (application) that can be used by each user is determined, and the user uses the application that he or she can use from the electronic device 10 or the first terminal device 20 . In addition, tenants, administrators and users have the following relationships.
・1 customer → 1 tenant (administrator and user belong to one tenant)
・One customer → multiple tenants (The administrator does not necessarily belong to a tenant, but manages each tenant and the users who belong to it. Users belong to one or more tenants.)
In either case, the user registered in the information processing system 50 belongs to one of the tenants, so if the user is specified after registration, the tenant to which the user belongs will also be specified.

The information processing system 50 creates screen information for a web page to be displayed on the first terminal device 20, the second terminal device 30, or the electronic device 10, and transmits the screen information to them. For example, a login screen or the like, which will be described later, is displayed.

The screen information is created by HTML, XML, CSS (Cascade Style Sheet), JavaScript (registered trademark), and the like. A web page may be served by a web app. A web application is software that runs on a web browser, or its mechanism, that operates through cooperation between a program written in a programming language (such as JavaScript (registered trademark)) that runs on a web browser and a program on the web server side. . A web application can dynamically change a web page.

The external service 70 is one or more information processing devices that mainly provide authentication federation services. For example, it provides authentication federation services such as OAUTH, OAUTH2.0, and OpenID Connect. Federated authentication service is a mechanism that allows users of the service to allow third-party applications to access their data hosted on the service without giving their account information (ID & password). . Office365 (registered trademark), Google (registered trademark), Facebook (registered trademark), etc. are known as authentication cooperation services.

The configuration of the computer system 1 shown in FIG. 2 is an example, and one or more server devices (such as a proxy server or a gateway server) may intervene between the customer environment and the information processing system 50. . Also, the first terminal device 20 and the second terminal device 30 may be located outside the customer environment, and may be connected to the network N1, for example.

The information processing system 50 may be implemented by one information processing device 49 or may be implemented by being distributed among a plurality of information processing devices 49 . For example, there may be an information processing device 49 that provides each service, one information processing device 49 may provide a plurality of services, or a plurality of information processing devices 49 may provide one service. may be provided.

In the computer system 1 of FIG. 2, the information processing system 50 is connected to a network N1 such as the Internet outside the customer environment. In other words, the computer system 1 of FIG. 2 is an example in which the information processing system 50 is provided in a cloud environment. However, the information processing system 50 may be provided inside the customer environment (on-premise environment).

<Hardware configuration example>
<<computer>>
The first terminal device 20, the second terminal device 30, or the information processing device of the information processing system 50 in FIG. 2 is implemented by a computer having the hardware configuration shown in FIG. 3, for example. FIG. 3 is a hardware configuration diagram of an example of a computer. The computer 500 in FIG. 3 is constructed by a computer, and as shown in FIG. interface) 508 , network I/F 509 , bus line 510 , keyboard 511 , pointing device 512 , DVD-RW (Digital Versatile Disk Rewritable) drive 514 and media I/F 516 .

Among these, the CPU 501 controls the operation of the entire computer. The ROM 502 stores programs used to drive the CPU 501 such as IPL. A RAM 503 is used as a work area for the CPU 501 . The HD 504 stores various data such as programs. The HDD controller 505 controls reading or writing of various data to/from the HD 504 under the control of the CPU 501 . A display 506 displays various information such as cursors, menus, windows, characters, or images. The external device connection I/F 508 is an interface for connecting various external devices. The external device in this case is, for example, a USB (Universal Serial Bus) memory, a printer, or the like. A network I/F 509 is an interface for data communication using the communication network 100 . A bus line 510 is an address bus, a data bus, or the like for electrically connecting each component such as the CPU 501 shown in FIG.

Also, the keyboard 511 is a kind of input means having a plurality of keys for inputting characters, numerical values, various instructions, and the like. A pointing device 512 is a kind of input means for selecting and executing various instructions, selecting a processing target, moving a cursor, and the like. A DVD-RW drive 514 controls reading or writing of various data to a DVD-RW 513 as an example of a removable recording medium. It should be noted that not only DVD-RW but also DVD-R or the like may be used. A media I/F 516 controls reading or writing (storage) of data to a recording medium 515 such as a flash memory.

<<Image forming device>>
FIG. 4 is a hardware configuration diagram of an example of the image forming apparatus 10a. As shown in FIG. 4, the image forming apparatus 10a includes a controller 910, a short-range communication circuit 920, an engine control section 930, an operation panel 940, and a network I/F 950.

Among these, the controller 910 includes a CPU 901, a system memory (MEM-P) 902, a north bridge (NB) 903, a south bridge (SB) 904, an ASIC (Application Specific Integrated Circuit) 906, a storage unit, which is the main part of the computer. A local memory (MEM-C) 907 , an HDD controller 908 , and an HD 909 as a storage unit, and the NB 903 and ASIC 906 are connected by an AGP (Accelerated Graphics Port) bus 921 .

Among them, the CPU 901 is a control unit that performs overall control of the image forming apparatus 10a. The NB 903 is a bridge for connecting the CPU 901, the MEM-P 902, the SB 904, and the AGP bus 921, and is a memory controller that controls reading and writing with respect to the MEM-P 902, a PCI (Peripheral Component Interconnect) master, and an AGP target. have

The MEM-P 902 is composed of a ROM 902a, which is a memory for storing programs and data for realizing each function of the controller 910, and a RAM 902b, which is used as a drawing memory for expanding the programs and data and for memory printing. The program stored in the RAM 902b is configured to be provided by being recorded in a computer-readable recording medium such as a CD-ROM, CD-R, DVD, etc. as a file in an installable format or an executable format. You may

SB 904 is a bridge for connecting NB 903 with PCI devices and peripheral devices. The ASIC 906 is an image processing IC (Integrated Circuit) having hardware elements for image processing, and serves as a bridge that connects the AGP bus 921, PCI bus 922, HDD controller 908, and MEM-C 907, respectively. This ASIC 906 includes a PCI target and AGP master, an arbiter (ARB) that forms the core of the ASIC 906, a memory controller that controls the MEM-C 907, and multiple DMACs (Direct Memory Access Controllers) that rotate image data using hardware logic. , and a PCI unit that transfers data between the scanner unit 931 and the printer unit 932 via the PCI bus 922 . Note that the ASIC 906 may be connected to a USB (Universal Serial Bus) interface or an IEEE 1394 (Institute of Electrical and Electronics Engineers 1394) interface.

MEM-C 907 is a local memory used as an image buffer for copying and an encoding buffer. The HD 909 is a storage for accumulating image data, accumulating font data used for printing, and accumulating forms. The HD 909 controls reading or writing of data to or from the HD 909 under the control of the CPU 901 . The AGP bus 921 is a bus interface for graphics accelerator cards proposed to speed up graphics processing, and can speed up the graphics accelerator card by directly accessing the MEM-P 902 with high throughput. .

Also, the near field communication circuit 920 is provided with a near field communication circuit antenna 920a. The short-range communication circuit 920 is a communication circuit for NFC, Bluetooth (registered trademark), or the like.

Furthermore, the engine control section 930 is configured by a scanner section 931 and a printer section 932 . The operation panel 940 displays a current setting value, a selection screen, and the like, and a panel display unit 940a such as a touch panel for receiving input from an operator, and setting values for image forming conditions such as density setting conditions. A hardware key 940b including a numeric keypad for accepting a copy start instruction and a start key for accepting a copy start instruction is provided. The controller 910 controls the entire image forming apparatus 10a, such as drawing, communication, input from the operation panel 940, and the like. The scanner unit 931 or printer unit 932 includes an image processing part such as error diffusion and gamma conversion.

Note that the image forming apparatus 10a can switch and select the document box function, the copy function, the printer function, and the facsimile function in sequence using the application switching key of the operation panel 940. FIG. The document box mode is set when the document box function is selected, the copy mode is set when the copy function is selected, the printer mode is set when the printer function is selected, and the facsimile mode is set when the facsimile mode is selected.

Network I/F 950 is an interface for data communication using communication network 100 . A short-range communication circuit 920 and a network I/F 950 are electrically connected to the ASIC 906 via a PCI bus 922 .

<About functions>
The function of each device included in the information processing system 50 according to this embodiment is realized by, for example, the processing blocks shown in FIG. FIG. 5 is an example of a functional block diagram illustrating the functions of the first terminal device 20, the second terminal device 30, the electronic device 10, and the information processing system 50 by dividing them into blocks.

<<First terminal device>>
The first terminal device 20 has a first communication section 22 , a display control section 23 , an operation reception section 24 and a processing control section 25 . The first terminal device 20 implements functional blocks as shown in FIG. 5 by executing a program (for example, the web browser 21).

The first communication unit 22 communicates with the information processing system 50 to transmit and receive various information for the first terminal device 20 to display an appropriate login screen.

The display control unit 23 analyzes the screen information of the screen received from the information processing system 50 and displays, for example, a login screen on the display 506 . The operation accepting unit 24 accepts a user's operation on the first terminal device 20 (for example, inputting account information to a login screen).

The processing control unit 25 stores the login method used by the user, determines the login screen according to the login method used in the past, and the like. Further, the subsequent processing is controlled depending on whether or not the login method is saved. The processing control unit 25 is implemented by the engine of the web browser 21 executing JavaScript (registered trademark) included in the screen information.

The first terminal device 20 also has a browser information storage unit 26 in which a program (for example, the web browser 21) stores information. The browser information storage unit 26 (an example of the information storage unit) is built in, for example, the HD 504 or the like, and is a non-volatile memory in which information does not disappear even when the web browser 21 is terminated. A function realized by HTML5 called LocalStorage can be used as a storage area in the terminal that can be managed by such a Web browser.

In this embodiment, login methods as shown in Table 1 are stored in the browser information storage unit 26 . The browser information storage unit 26 may be constructed outside the first terminal device 20 (on the network, in a storage medium, etc.).

表１はブラウザ情報記憶部２６に保存されたログイン方法の一例を示す。ログイン方法として上記の（Ａ）～（Ｄ）のログイン方法があり、（Ａ）～（Ｄ）のログイン方法がフラグにより示されている。つまり、処理制御部２５はフラグを読み取ることで、保存されているログイン方法を判断できる。

Table 1 shows an example of login methods stored in the browser information storage unit 26 . There are the above login methods (A) to (D) as login methods, and the login methods (A) to (D) are indicated by flags. That is, the processing control unit 25 can determine the saved login method by reading the flag.

For example, if the flag is "email", the first terminal device 20 displays a login screen corresponding to the login method using the email address and password. When the flag is "userId", the first terminal device 20 displays a login screen corresponding to the login method using the tenant ID/user ID/password. When the flag is "external", the first terminal device 20 displays the login screen corresponding to the login method by the external service. When the flag is "all", the first terminal device 20 displays login screens corresponding to all login methods.

<<second terminal device>>
The second terminal device 30 has a second communication section 32 , a display control section 33 , an operation reception section 34 and a processing control section 35 . The second terminal device 30 implements functional blocks as shown in FIG. 5 by executing a program (for example, the web browser 31).

The second communication unit 32 communicates with the information processing system 50 to transmit and receive various information for the second terminal device 30 to display an appropriate login screen.

The display control unit 33 analyzes the screen information of the screen received from the information processing system 50 and displays, for example, a login screen on the display 506 . The operation accepting unit 24 accepts an administrator's operation on the second terminal device 30 (for example, inputting account information to a login screen).

The processing control unit 35 stores the login method used by the administrator, determines the login screen according to the past login method, and the like. Further, the subsequent processing is controlled depending on whether or not the login method is saved. The processing control unit 35 is implemented by the engine of the web browser 21 executing JavaScript (registered trademark) included in the screen information.

Since the browser information storage unit 36 may be the same as that of the first terminal device 20, the description thereof is omitted.

<<Electronics>>
The electronic device 10 has a third communication section 12 , a display control section 13 , an operation reception section 14 and a processing control section 15 . The electronic device 10 implements functional blocks as shown in FIG. 5 by executing a program (for example, the web browser 11).

The third communication unit 12 communicates with the information processing system 50 to receive screen information for the electronic device 10 to display a standby screen, a launcher screen, a login screen, an application screen, and the like. In addition, information input by the user to the standby screen, launcher screen, login screen, and application screen is transmitted to the information processing system 50 .

The display control unit 13 analyzes screen information received from the information processing system 50 and displays, for example, a standby screen, a launcher screen, a login screen, and an application screen on the operation panel 940 . The operation accepting unit 14 accepts a user's operation on the electronic device 10 (for example, activation of a launcher, input of account information, selection of an application, operation on an application, etc.).

The processing control unit 15 and the browser information storage unit 16 are assumed to be the same as those of the first terminal device 20 . In addition, since the electronic device 10 is shared by a plurality of users, the user information (user ID/password, manual input, IC card , information acquired by the device using the authentication device) and the device authentication result using the Web browser 11 or another application of the electronic device 10, by sending to the information processing system 50, the tenant corresponding to the user information and display the login screen using the login method permitted by the tenant. Alternatively, when using the web browser 11 or another application of the electronic device 10, the device identification information (machine number) or tenant identification information stored in the electronic device 10 can be transferred to the web browser 11 or another application of the electronic device 10. acquires and transmits to the information processing system 50, the tenant corresponding to the device may be identified. In these cases, the information processing system 50 assumes that tenant identification information, device identification information, user information, etc. of tenants are all associated and stored.

<<Information Processing System>>
The information processing system 50 has a fourth communication unit 52 , a screen information generation unit 53 , a user information management unit 54 , a tenant information management unit 55 and an authentication/authorization unit 56 . These functions of the information processing system 50 are functions or means implemented by the CPU 501 of the computer 500 shown in FIG.

The fourth communication unit 52 transmits and receives various information to and from the first terminal device 20 , the second terminal device 30 and the electronic device 10 . For example, the screen information of the login screen is transmitted to the first terminal device 20 or the second terminal device 30 and the account information is received from the first terminal device 20 or the second terminal device 30 . Also, the screen information of the standby screen, the launcher screen, the login screen, and the application screen is transmitted to the electronic device 10 . It also receives information entered on these screens.

The screen information generation unit 53 generates screen information for a login screen and a top screen (portal screen), and transmits the screen information to the first terminal device 20 or the second terminal device 30 via the fourth communication unit 52 .

The user information management unit 54 manages generation, update, acquisition, and deletion of user information in the user information storage unit 57 . The tenant information management unit 55 similarly manages information on the tenant to which the user belongs in the tenant information storage unit 58 . User information and tenant information associate users and tenants.

The authentication/authorization unit 56 authenticates the administrator or user based on the account information and determines whether the authentication succeeds or fails. Authentication means judging whether a user is a legitimate authorized person. In the case of this embodiment, whether or not the user has the authority to use the information processing system 50, and furthermore, whether the user or the administrator can be determined. Authorization refers to determining the authority granted to a user according to the user's role (described later). For example, accessible resources and executable operations are determined.

Note that the information processing system 50 permits the user to log in to the information processing system 50 when the authentication is successful. Login is an authentication act to access system resources using pre-registered account information when using various services on a computer or on the Internet. The account information differs depending on the above login methods (A) to (D).
In the case of "(A) email address and password", it is the email address and password, and in the case of "(B) tenant ID, user ID and password", it is the tenant ID, user ID and password. In the case of "(C) use external service", there is no particular account information to be entered by the user, but the user ID and password for the external service 70 are the account information. In the case of "(D) all", it may be the one corresponding to each login method.

In addition, the account information includes biometric authentication information such as fingerprints and faces, and in this case, a login method corresponding to the biometric authentication information is prepared.

In the information processing system 50, a user information storage unit 57 and a tenant information storage unit 58 realized by the HD 504, RAM 503, etc. shown in FIG. 3 are constructed. These will be explained using Tables 2 and 3.

表２はユーザ情報記憶部５７に記憶されているユーザ情報の一例を示す。
・テナントＩＤ：ユーザの所属するテナントを示す識別情報である。ＩＤはIdentificationの略であり識別子や識別情報という意味である。ＩＤは複数の対象から、ある特定の対象を一意的に区別するために用いられる名称、符号、文字列、数値又はこれらのうち１つ以上の組み合わせをいう。テナントＩＤ以外のＩＤについても同様である。
・ユーザＩＤ：テナント内でユーザを一意に示す識別情報である。テナント内で一意であるため、異なるテナント間では重複してよい。
・パスワード：アカウント情報の一部となる場合がある。
・パスワード設定済みかどうかのフラグ：パスワードが設定されるとＴｒｕｅ、されていなければＦａｌｓｅとなる。
・姓：ユーザの姓（名字）である。
・名：ユーザの名である。
・メールアドレス：ユーザのメールアドレスである。メールアドレスは世界的に一意なため、異なるテナント間でも重複しない。このため従来からユーザを識別する識別情報として使用される場合が多い。
・表示言語：端末装置が各種の画面、メールを表示する場合の文字の言語である。
・国：ユーザが所属する国や地域である。
・状態：ユーザのアカウントの状態である。アカウントはユーザが情報処理システム５０にログインするための権利のことである。アカウントの状態には「有効、無効又はアカウントロック」の少なくとも３つがある。ユーザ情報が仮登録されると無効となり、本登録により有効となる。有効となった後も管理者が無効に設定できる。アカウントロックは、有効な状態でユーザがパスワードを何回か間違えた場合に設定される。アカウントロックは、例えば、一定期間の経過で有効に戻る点、又は、テナントに所属するユーザとしてカウントされたままである点で無効と異なる。なお、無効な状態は、有効期限が切れている等の場合がある。
・タイムゾーン：ユーザが活動する国又は地域のタイムゾーン（ＵＴＣ：協定世界時）である。
・ロール：役割という意味であるが、どのような権限を有しているかを示す。本実施形態では管理者又は一般ユーザがある。本実施形態では一般ユーザと管理者を特に区別しない場合はユーザと称している。
・UUID（Universally Unique Identifier）：ユーザを一意に示す識別情報であり、情報処理システム５０がユーザを識別する場合に使用する。
・外部サービスアカウント情報：ユーザが連携登録してある外部サービス７０におけるアカウントの情報である（外部サービス７０における識別情報）。
・利用可能なサービス権限情報一覧：ユーザが利用可能なサービスの一覧である。

Table 2 shows an example of user information stored in the user information storage unit 57 .
· Tenant ID: identification information indicating the tenant to which the user belongs. ID is an abbreviation for Identification and means an identifier or identification information. An ID is a name, a code, a character string, a numerical value, or a combination of one or more of these used to uniquely distinguish a specific object from a plurality of objects. The same applies to IDs other than the tenant ID.
User ID: Identification information that uniquely indicates a user within a tenant. Since it is unique within a tenant, it may overlap between different tenants.
・Password: May be part of account information.
A flag indicating whether or not a password has been set: True if a password has been set, and False if not.
Surname: The user's surname (surname).
First Name: The first name of the user.
- E-mail address: This is the user's e-mail address. Since email addresses are globally unique, they do not overlap between different tenants. For this reason, it has often been used as identification information for identifying users.
- Display language: This is the language of characters used when the terminal device displays various screens and mails.
- Country: The country or region to which the user belongs.
• State: The state of the user's account. An account is a right for a user to log into the information processing system 50 . There are at least three account states: 'valid, invalid, or account locked'. Once the user information is provisionally registered, it becomes invalid, and becomes valid after the official registration. Even after it is enabled, it can be disabled by the administrator. Account lock is set when the user enters an incorrect password several times while enabled. An account lock differs from an invalid account in that, for example, it becomes valid again after a certain period of time has passed, or in that it continues to be counted as a user belonging to the tenant. Note that the invalid state may be, for example, that the validity period has expired.
- Time zone: the time zone (UTC: Coordinated Universal Time) of the country or region where the user is active.
・Role: It means a role, but indicates what kind of authority it has. In this embodiment, there are administrators and general users. In the present embodiment, general users and administrators are referred to as users when there is no particular distinction between them.
UUID (Universally Unique Identifier): Identification information that uniquely indicates a user, and is used when the information processing system 50 identifies the user.
- External service account information: information of an account in the external service 70 with which the user has been linked and registered (identification information in the external service 70).
- List of available service authority information: a list of services available to the user.

表３（ａ）はテナント情報記憶部５８に記憶されているテナント情報の一例を示す。
・テナントＩＤ：表２と同様である。
・テナント名：テナントの名前（ユーザが呼ぶ時の呼称）である。
・表示言語：画面、メールなどの文字を表示する際の言語である。
・国：テナントが所属する国や地域である。
・状態：テナントの状態には有効と無効がある。無効は契約終了などでテナントがサービスを受けられない状態である。
・タイムゾーン：テナントが活動する国や地域のタイムゾーン（ＵＴＣ）である。
・ログイン設定：情報処理システム５０へユーザがログインする際にテナントが許可するログイン方法である（表３（ｂ）参照）。

Table 3(a) shows an example of tenant information stored in the tenant information storage unit 58. As shown in FIG.
· Tenant ID: Same as Table 2.
· Tenant name: This is the name of the tenant (the name when called by the user).
- Display language: This is the language for displaying characters on screens, emails, and the like.
- Country: The country or region to which the tenant belongs.
- Status: Tenant status can be valid or invalid. Disabled is a state in which the tenant cannot receive the service due to termination of the contract or the like.
- Time zone: The time zone (UTC) of the country or region where the tenant operates.
- Login setting: This is the login method permitted by the tenant when the user logs into the information processing system 50 (see Table 3(b)).

Table 3(b) shows an example of login settings. As shown in Table 3(b), in the login settings, flags indicate login methods permitted by a tenant for users belonging to the tenant. Since this flag is transmitted from the information processing system 50 to the first terminal device 20 or the second terminal device 30, the first terminal device 20 or the second terminal device 30 is permitted by the tenant (user). You can determine how to log in.

As shown in FIG. 6, the login method of the tenant information storage unit 58 can be set by the administrator for each tenant. FIG. 6 is an example of the login method setting screen 400 displayed by the second terminal device 30 operated by the administrator. On the login method setting screen 400, check boxes 401 are associated with "all", "mail address/password", "tenant ID/user ID/password", and "use external service". Administrators can set the login method for the tenants they manage.

<Procedure for displaying the login screen>
A flow for the user to display the login screen on the first terminal device 20 or the second terminal device 30 will be described with reference to FIG. The login flow is the same regardless of whether the user is a general user or an administrator. FIG. 7 is a sequence diagram showing a procedure for the user to operate the first terminal device 20 to display the login screen.

S1: The user operates the first terminal device 20 to communicate with the information processing system 50 . For example, the URL of the information processing system 50 is designated or selected from favorites.

S2: The operation reception unit 24 of the first terminal device 20 receives the operation and notifies the processing control unit 25 of the web application acquisition processing. For example, a process for making an HTTP request and the URL of the information processing system 50 are notified.

S3: The processing control unit 25 requests the first communication unit 22 to acquire the login screen by designating the above URL.

S4: The first communication unit 22 requests the information processing system 50 to acquire a login screen.

S5: The fourth communication unit 52 of the information processing system 50 receives the login screen acquisition request and requests the screen information generation unit 53 to generate the login screen.

S6: The screen information generation unit 53 generates screen information of a login screen that can be displayed by the first terminal device 20 and transmits the screen information to the fourth communication unit 52 . The login screen that can be displayed by the first terminal device 20 is a login screen corresponding to login settings managed by the tenant information storage unit 58 . At this point, it is unknown which login screen the user will use, so screen information for all login screens that can be set by the administrator in the information processing system 50 is generated. Each login screen is associated with login setting identification information (for example, a flag).

S7: The fourth communication unit 52 transmits screen information of the login screen to the first terminal device 20 .

S8: The first communication section 22 of the first terminal device 20 receives the screen information of the login screen and transmits it to the processing control section 25 .

S9, S10: The processing control unit 25 acquires the login method from the browser information storage unit 26. FIG. That is, since the flag is determined to be "email", "userId", "external", or "all", the browser information storage unit 26 is searched for this flag, and if it matches, it is acquired. The number of flags stored is one because it is the login method that the user used last (or in the past). The processing control unit 25 determines the login method saved in the past as the login method used by the user.

If the user has never logged in before, or if the browser information storage unit 26 of the web browser has been deleted, the login method is not stored in the browser information storage unit 26 . Processing in this case will be described using steps S11 to S29.

S11: When the login method is not stored in the browser information storage unit 26, in order for the processing control unit 25 to identify the tenant to which the user belongs, an e-mail address input screen is selected from among the login screens acquired from the information processing system 50. It selects and instructs the display control unit 23 . The e-mail address input screen is a screen for inputting an e-mail address among the login screens. An example of the e-mail address input screen is shown in FIG.

S12: The display control unit 23 generates the instructed e-mail address input screen and displays it on the display 506. FIG.

S13: When the user inputs the e-mail address on the e-mail address input screen, the operation accepting unit 24 accepts it.

S14: The operation reception unit 24 transmits the mail address to the processing control unit 25.

S15: The processing control unit 25 requests the first communication unit 22 to set the login in the tenant to which the user belongs together with the e-mail address. The processing control unit 25 temporarily holds the e-mail address so that the user does not have to enter the e-mail address on the subsequent login screens A1 and B1. For example, there is a mechanism called sessionStorage.

S16: The first communication unit 22 requests the information processing system 50 for login settings together with the e-mail address.

S17: The fourth communication unit 52 of the information processing system 50 receives the request for the e-mail address and login setting, and requests the user information by designating the e-mail address from the user information management unit 54 .

S18, S19: The user information management unit 54 searches the user information storage unit 57 with the e-mail address to acquire user information having the e-mail address.

S20, S21: The user information management unit 54 transmits the user information to the tenant information management unit 55, and the tenant information management unit 55 searches the tenant information storage unit 58 with the tenant ID included in the user information. Therefore, the tenant information management unit 55 acquires tenant information to which the user belongs.

S22-S24: The information processing system 50 transmits the login settings included in the tenant information to the first terminal device 20. FIG.

S25: The processing control unit 25 of the first terminal device 20 determines a login screen corresponding to the login method permitted by the login settings acquired in step S24 from among the login screens acquired in step S8. The display control unit 23 is requested to display this login screen. When requesting the login screens A1 and B1, the retained e-mail address is also transmitted to the display control unit 23 . If multiple login methods are allowed, the login screen displayed will correspond to the multiple login methods.

S26: When the login method is "(A) email address and password", the display control unit 23 displays the login screen A1. An example of the login screen A1 is shown in FIG.

S27: When the login method is "(B) tenant ID, user ID and password", the display control unit 23 displays the login screen B1. An example of the login screen B1 is shown in FIG.

S28: When the login method is "(C) use external service", the display control unit 23 displays the login screen C1. An example of the login screen C1 is shown in FIG.

S29: When the login method is "(D) all", the display control unit 23 displays the login screen D1. An example of the login screen D1 is shown in FIG.

Next, a case where the login method is stored in the browser information storage unit 26 will be described. When the login method is saved, in step S10, the processing control unit 25 determines a login screen corresponding to the saved login method from among the login screens acquired in step S8. In steps S30, 32 and 34, the display control unit 23 is requested to display this login screen.

S31: When the login method stored in the browser information storage unit 26 is "(A) email address and password", the display control unit 23 displays the login screen A2. An example of the login screen A2 is shown in FIG.

S33: When the login method stored in the browser information storage unit 26 is "(B) tenant ID, user ID and password", the display control unit 33 displays the login screen B2. An example of the login screen B2 is shown in FIG.

S35: When the login method stored in the browser information storage unit 26 is "(C) Use external service", the display control unit 23 displays the login screen C2. An example of the login screen C2 is shown in FIG.

Thus, the first terminal device 20 can display the login screen corresponding to the saved login method.

<Screen example of login screen>
Screen examples of the login screen will be described with reference to FIGS. 8 to 16. FIG. FIG. 8 is an example of an e-mail address input screen 410 that is part of the login screen. The email address entry screen 410 has an email address entry field 411 and a next button 412 . A mail address entry field 411 is a field for the user to enter his/her own mail address. The next button 412 is a button for the first terminal device 20 to send the input e-mail address to the information processing system 50 .

FIG. 9 shows an example of the login screen A1. The login screen A1 has an email address presentation section 421, a password entry field 422, and a login button 423. FIG. The e-mail address that the user has entered on the e-mail address input screen 410 is displayed in the e-mail address presentation section 421 . This way you don't have to enter the same email address multiple times. The user can also return to the email address entry screen 410 . A password entry field 422 is a field for the user to enter his password. The login button 423 is a button for the first terminal device 20 to request a login by sending the email address and password to the information processing system 50 .

FIG. 10 shows an example of the login screen B1. The login screen B1 has an email address presentation section 421, a tenant ID entry field 424, a user ID entry field 425, a password entry field 422, and a login button 423. The e-mail address presentation section 421 displays the e-mail address entered by the user on the e-mail address input screen. This eliminates the need to enter the same email address multiple times (however, the email address need not be sent to the information processing system 50). It is also possible to return to the email address input screen 410 . A tenant ID input field 424 is a field for inputting the tenant ID of the tenant to which the user belongs. A user ID input field 425 is a field for inputting a user ID in the tenant to which the user belongs. A password entry field 422 is a field for the user to enter his password. The login button 423 is a button for the first terminal device 20 to send the tenant ID, user ID, and password to the information processing system 50 to request login.

FIG. 11 shows an example of the login screen C1. The login screen C1 has an email address presentation section 421 and an external service login button 426 . The e-mail address that the user has entered on the e-mail address input screen 410 is displayed in the e-mail address presentation section 421 . This eliminates the need to enter the same email address multiple times (however, the email address need not be sent to the information processing system 50). The external service login button 426 is a button for the first terminal device 20 to request login to the information processing system 50 using the external service 70 . After this, the first terminal device 20 is redirected to the external service 70 .

FIG. 12 shows an example of the login screen D1. The login screen D1 has an email address entry field 411, a password entry field 422, a login button 423, a user ID login button 431, and an external service login button 426. FIG. The email address input field 411 displays the email address that the user has entered on the email address input screen 410 . This way you don't have to enter the same email address multiple times. A password entry field 422 is a field for the user to enter his password. The login button 423 is a button for the first terminal device 20 to request a login by sending the email address and password to the information processing system 50 .

A user ID login button 431 is a button for displaying the login screen B1 in FIG. The external service login button 426 is a button for the first terminal device 20 to request login to the information processing system 50 using the external service 70 . Thus, when the login method is "all", the user can switch the login screen.

FIG. 13 shows an example of the login screen A2. The login screen A2 has an email address entry field 411, a password entry field 422, a login button 423, and a "confirm another login method" button 432. FIG. A mail address entry field 411 is a field for the user to enter his/her own mail address. If the login method is stored in the browser information storage unit 26, the user has not yet entered an email address, so no email address is displayed in the email address input field 411. FIG. However, the web browser has a function of holding the e-mail address input by the user in the past, and the e-mail address may be displayed by the function of the web browser. The password entry field 422 and login button 423 are the same as those on the login screen A1. The 'confirm another login method button' 432 is a button for the user to confirm another login method (login method permitted by the tenant) other than the login method stored in the browser information storage unit 26.

FIG. 14 shows an example of the login screen B2. The login screen B2 has a tenant ID entry field 424, a user ID entry field 425, a password entry field 422, a login button 423, and a "confirm another login method" button 432. These are the same as the login screen B1. The 'confirm another login method button' 432 is the same as the login screen A2.

FIG. 15 shows an example of the login screen C2. The login screen C2 has an external service login button 426 and a 'confirm another login method button' 432 . These are the same as the login screen C1. The 'confirm another login method button' 432 is the same as the login screen A2.

FIG. 16 is an example of a login screen F displayed when a plurality of login methods are permitted. This login screen F corresponds to "(A) mail address and password" and "(C) use of external service" as permitted login methods. Therefore, the login screen F has an e-mail address entry field 411, a password entry field 422, and a login button 426 with an external service. In this way, when a plurality of login methods are permitted, the first terminal device 20 can display a login screen corresponding to the plurality of login methods, so that the user can log in by selecting the method he or she desires to log in.

<Operation and processing up to login>
Next, with reference to FIG. 17, after the process of the sequence diagram of FIG. 7, the user logs in with each login method and the flow of saving the login method in the browser information storage unit 26 will be described. FIG. 17 is an example of a sequence diagram illustrating login processing corresponding to each login method. The processing in FIG. 17 is executed subsequent to FIG.

S1, S2: The user enters a password on the login screen A1, a tenant ID, user ID and password on the login screen B1, an email address and password on the login screen A2, and a tenant ID, user ID and password on the login screen B2. . The operation reception unit 24 receives these inputs. The operation reception unit 24 of the first terminal device 20 transmits these account information to the processing control unit 25 to request login processing.

Steps S3 to S8 are executed when the login method is "(A) email address and password" or "(B) tenant ID, user ID and password".

S3 to S5: The processing control unit 25 requests the information processing system 50 to request authentication together with the account information. The account information and the authentication request are transmitted to the authentication/authorization section 56 via the first communication section 22 and the fourth communication section 52 . The authentication/authorization unit 56 determines that the authentication is successful when the account information is stored in the user information storage unit 57, and determines that the authentication is unsuccessful when the account information is not stored.

In step S3, the processing control unit 25 temporarily stores the login method used by the user. As will be described in step S55, this is for determining whether or not the login settings saved in the browser information storage unit 26 are included in the tenant's login settings. The login method used by the user may be determined from the login screen used by the user, or may be determined from account information to be transmitted. Note that saving may be performed in step S8.

S6-S8: If the authentication/authorization unit 56 succeeds in the authentication, it sends a notification to the first terminal device 20 that the authentication has succeeded. In FIG. 17, authentication information indicates that authentication has succeeded.

Steps S9 to S38 are executed when "(C) use external service" is the login method. Similarly, in step S9, the processing control unit 25 temporarily stores the login method used by the user. It may be saved in step S38.

S9-S10: The user presses the login button 426 in the external service on the login screens C1 and C2. The operation accepting unit 24 accepts pressing. A login request for the external service 70 is transmitted to the authentication/authorization unit 56 via the first communication unit 22 and the fourth communication unit 52 .

S11-S14: Since the authentication/authorization unit 56 has received the fact that the login button 426 has been pressed in the external service, it transmits a redirect to the external service 70 together with the previously known URL of the external service 70 to the first terminal device 20. do. The URL of the external service 70 and a redirect request to the external service 70 are transmitted to the processing control section 25 via the first communication section 22 and the fourth communication section 52 . The information processing system 50 and the external service 70 hold common tickets in advance for identifying each user.

S15-S20: The processing control unit 25 redirects to the external service 70 based on the URL of the external service 70. FIG. That is, the processing control unit 25 redirects to the external service 70 and acquires the screen information of the login screen of the external service 70 . The login screen for the external service 70 varies depending on the external service 70 .

S21, S22: The processing control unit 25 transmits the screen information of the login screen of the external service 70 to the display control unit 23, and the display control unit 23 displays the login screen of the external service 70. FIG.

S23: The user executes login from the login screen of the external service 70. The operation accepting unit 24 accepts a login operation. In general, sites that require login, such as the external service 70 , store account information in cookies or local storage, and the user does not need to enter account information on the login screen of the external service 70 . Therefore, when the user uses the external service, the user only needs to press the login button 426 on the external service.

S24-S27: The operation reception unit 24 transmits the pre-stored account information and authentication request to the external service 70 via the processing control unit 25, the first communication unit 22, and the fourth communication unit 52. The external service 70 authenticates the user and, in case of successful authentication, obtains the ticket associated with this user. A ticket is proof of identity for this user. Note that an authentication cooperation service such as OAUTH is known as a mechanism for such external authentication, and it is assumed that OAUTH or the like can also be used in this embodiment.

S28-S30: The external service 70 sends the ticket to the first terminal device 20. In FIG. 17, the ticket is represented by authentication information.

S31-S33: The processing control unit 25 uses the ticket (authentication information) received from the external service 70 to request the authentication/authorization unit 56 for authentication. The authentication request is transmitted to the authentication/authorization section 56 via the first communication section 22 and the fourth communication section 52 .

S34: The authentication/authorization unit 56 requests the external service 70 to authenticate the authentication information (confirms whether this authentication information was issued by the external service 70). If authentication by the external service 70 succeeds, login to the information processing system 50 is permitted. Also, the ticket identifies the user.

S35-S38: The authentication/authorization unit 56 transmits to the first terminal device 20 authentication information indicating whether or not the authentication was successful. The authentication information is transmitted to the processing control section 25 via the first communication section 22 and the fourth communication section 52 .

S39-S41: The processing control unit 25 requests the information processing system 50 to issue an authorization request when the authentication is successful. Authorization is the scope of resources that a user can access (what rights the user has). The processing control unit 25 transmits an authorization request to the information processing system 50 together with the authentication information. The authorization request is transmitted to the authentication/authorization section 56 via the first communication section 22 and the fourth communication section 52 .

S42-S44: For users with login methods (A) and (B), the authentication/authorization unit 56 determines the user information roles and A list of available service authority information is transmitted to the first terminal device 20 . For the user of login method (C), the user is identified by a ticket, a token (identification information for identifying the user) is issued, and similar information is transmitted to the first terminal device 20 . Hereinafter, the role of user information and the list of available service authorization information will be referred to as authorization information.

S45-S47: After acquiring the authorization information, the processing control unit 25 designates the user identification information (e-mail address, user ID and tenant ID, or token), and sets the login settings of the tenant to which the user belongs to the information processing system 50. request to. Authorization information is sent to inform the user of the information that can be accessed. A login setting request is transmitted to the information processing system 50 via the first communication unit 22 and the fourth communication unit 52 .

S48, S49: The user information management unit 54 acquires user information from the user information storage unit 57 of the user identified by the user identification information.

S50, S51: The user information management unit 54 transmits the user information to the tenant information management unit 55, and the tenant information management unit 55 searches the tenant information storage unit 58 with the tenant ID included in the user information. Therefore, the tenant information management unit 55 acquires tenant information to which the user belongs.

S52-S54: The information processing system 50 transmits the login settings included in the tenant information to the first terminal device 20. FIG.

The processing control unit 25 determines whether or not the login setting used by the user is permitted by the tenant's login setting. This is because the tenant's login setting may be changed, and in such a case, the process control unit 25 preferably changes the user's login method. The determination method may be a method of determining whether or not the login settings used by the user are included in the tenant login settings. The login settings used by the user are not included in the tenant login settings because the login method stored in the browser information storage unit 26 is used. It is the same as determining whether the login method that was specified is included.

S55: If the login setting used by the user is not permitted by the tenant's login setting, the processing control unit 25 saves the tenant's login setting in the browser information storage unit . If there are multiple tenant login settings, all of them may be stored.

S57: If the login setting used by the user is permitted by the tenant login setting, the processing control unit 25 stores the login method temporarily saved in step S3 or S8, step S9 or S38 in the browser information storage unit 26. save.

S59-S66: Next, the processing control unit 25 requests the information processing system 50 for the top screen (portal screen). The screen information generation unit 53 of the information processing system 50 refers to the user information storage unit 57 to generate screen information including an icon that allows the user identified by the user identification information to execute a service that is permitted. Send to the terminal device 20 . In this way, the portal screen corresponding to the logged-in user can be displayed. An example of the top screen is shown in FIG.

<Example of top screen>
18A shows an example of the top screen 460 displayed by the first terminal device 20, and FIG. 18B shows an example of the top screen 310 displayed by the second terminal device 30. FIG. When the authentication is successful as described with reference to FIG. 17, the first terminal device 20 displays the top screen 460. FIG. The top screen 460 displays a list 311 of applications corresponding to services permitted in the "list of available service authority information" in the user information.

The top screen 310 for the administrator has a setting button 312, which is the same for the administrator. When the administrator presses the setting button 312, buttons for user management 313, application authority management (user) 314, application authority management (device) 315, and tenant information 316 are displayed. User management 313 is a button for displaying a user management screen for the administrator to manage users. Application usage authority management (user) 314 is a button for displaying a screen for managing which user can use which application. An application usage authority management (device) 315 is a button for displaying a screen for managing which electronic devices 10 can use the application. The tenant information 316 is a button for displaying a screen for displaying the contract details of the tenant and the like.

<Confirm another login method>
Even when the login screen of the login method stored in the browser information storage unit 26 is displayed, the user may want to check if there is another login method permitted by the tenant. For this reason, the login screens A2, B2, and C2 have a 'confirm another login method button' 432 button. The following describes the processing when the 'confirm another login method button' 432 is pressed.

FIG. 19 is an example of a sequence diagram showing processing executed by the first terminal device 20 and the information processing system 50 when the "confirm another login method button" 432 is pressed. The process of FIG. 19 starts after the login screen is displayed in steps S31, S33 and S35 of FIG.

S1: The user presses the "confirm another login method button" 432 on the login screens A2, B2, and C2. The operation accepting unit 24 accepts pressing.

S2: The operation reception unit 24 transmits a confirmation request for another login method to the processing control unit 25 .

S3: Since it is necessary for the information processing system 50 to identify the user in order to identify the tenant, the processing control unit 25 selects the email address input screen (FIG. 8) and requests the display control unit 23 to display it.

S4: The display control unit 23 displays the mail address input screen 410. FIG.

S5: The user enters an e-mail address on the e-mail address entry screen 410 . The operation reception unit 24 receives input.

S6: The operation reception unit 24 transmits a login setting acquisition request to the processing control unit 25 together with the e-mail address.

S7 to S9: The processing control unit 25 designates an e-mail address and transmits a login setting acquisition request to the information processing system 50 . The first communication unit 22 and the fourth communication unit 52 transmit a request to acquire the e-mail address and login settings to the user information management unit 54 .

S10, S11: The user information management unit 54 acquires user information specified by the mail address from the user information storage unit 57. FIG.

S12, S13: The user information management unit 54 transmits the user information to the tenant information management unit 55, and the tenant information management unit 55 searches the tenant information storage unit 58 with the tenant ID included in the user information. Therefore, the tenant information management unit 55 acquires tenant information to which the user belongs.

S14-S16: The information processing system 50 transmits the login settings included in the tenant information to the first terminal device 20. FIG. The first communication unit 22 and the fourth communication unit 52 transmit tenant login settings to the processing control unit 25 .

S17: The processing control unit 25 requests the display control unit to display the login screen corresponding to the login method permitted by the login settings of the tenant from among the login screens obtained in step S8 of FIG.

S18: When the login method permitted by the tenant is "(A) email address and password", the display control unit 23 displays the login screen A1 (FIG. 9).

S19: When the login method permitted by the tenant is "(B) tenant ID, user ID and password", the display control unit 23 displays the login screen B1 (FIG. 10).

S20: When the login method permitted by the tenant is "(C) use external service", the display control unit 23 displays the login screen C1 (FIG. 11).

S21: When the login method permitted by the tenant is "(D) all", the display control unit 23 displays the login screen D1 (FIG. 12).

In this way, the user can confirm another login method and log in using a login method different from the login method stored in the browser information storage unit 26 . Since the login method is stored in the browser information storage unit 26, the login method can be changed from the next time.

Note that FIG. 19 describes the case where each login method is displayed one by one (FIGS. 9 to 11), but if multiple login methods are permitted, multiple A login screen F corresponding to the login method is displayed.

<Summary>
As described above, in the computer system 1 of the present embodiment, once the login method is saved, the user can log in to the login permitted by the tenant without entering information identifying the user, such as an email address. The first terminal device 20 or the second terminal device 30 can display a login screen corresponding to the method. In addition, even if the service provided by the information processing system allows selection of multiple login methods for each tenant, in order to present an appropriate login screen to the user, it is necessary to identify the tenant to which the user belongs from the user's identification information. However, once the login method is saved, the user does not have to enter the user's identifying information (e.g., email address) each time. For this reason, for example, when a service provided by the information processing system 50 cooperates with an external service and permits a user to log in using the user identification information of the external service, the user identification information in the service provided by the information processing system 50 is It is possible to eliminate the trouble of having the user input the user's identification information once in the service provided by the information processing system 50 when it is not necessary for login.

In the first embodiment, when the login method used by the user is not permitted by the tenant's login settings, the login method permitted by the tenant's login settings is stored in the browser information storage unit 26 . Therefore, the login itself is permitted, and the login screen changes from the next login. In this embodiment, when the login method used by the user is not permitted by the tenant's login settings, the information processing system 50 logs out the user and logs in using the login method permitted by the tenant's login settings. to explain.

In this embodiment, the hardware configuration diagrams of FIGS. 3 and 4 and the functional block diagram of FIG. 5 described in the above embodiment can be used.

<Processing to log out the user when the login method used by the user is not permitted in the tenant login settings>
FIG. 20 is a sequence diagram of the information processing system 50, when the login method used by the user is not permitted by the tenant's login settings, causes the user to log out and log in using the login method permitted by the tenant.

S1, S2: User logs in. After this, up to step S54 in FIG. 17 is executed up to step S3. The following processing is executed instead of steps S55 to S58 in FIG.

S3, S4: When the processing control unit 25 determines that the login method used by the user is not permitted by the tenant's login settings, the login method permitted by the tenant's login settings is stored in the browser information storage unit 26. do.

S5 to S7: The processing control unit 25 requests the information processing system 50 to perform logout processing by designating user identification information (eg, e-mail address, tenant ID and user ID, or token). The first communication unit 22 and the fourth communication unit 52 transmit requests for logout processing to the authentication/authorization unit 56 . The authentication/authorization unit 56 logs out the designated user. That is, it deletes the authorization information that has been granted for the user.

S8-S10: The authentication/authorization unit 56 notifies the first terminal device 20 that the authorization information has been deleted. The first communication unit 22 and the fourth communication unit 52 transmit to the processing control unit 25 that the authorization information has been deleted.

S11 to S16: In order to notify the user of logout, the processing control unit 25 requests the information processing system 50 to display the logout screen, and acquires the screen information of the logout screen.

S17, S18: The processing control unit 25 transmits the screen information of the logout screen to the display control unit 23, and the display control unit 23 displays the logout screen. An example of the logout screen is shown in FIG. The logout screen allows the user to know that he/she has logged out. In addition, since the logout screen again prompts the user to log in using the login method permitted by the tenant, the user can log in using the login method permitted by the tenant.

When the user presses the "login" button on the logout screen of FIG. 21, the subsequent processing is the same as steps S25 and S30 to S35 of FIG. The user logs in again using the login method permitted by the tenant from the newly displayed login screen. In this way, when a user logs in using a login method permitted by the tenant, the information processing system 50 can log out the user.

The process (steps S19-S28) when the login method used by the user is permitted by the tenant's login settings may be the same as steps S57-S66 in FIG.

FIG. 21 is a diagram showing an example of the logout screen 470. As shown in FIG. A logout screen 470 displays a message 471 that reads, "You have logged out because the login method has been changed by the administrator. Please log in again." When the user presses the "login" button 472, the screen transitions to the login screen.

<Summary>
As described above, in this embodiment, if the login method used by the user is not permitted by the tenant login settings, the information processing system 50 logs out the user. Therefore, the tenant login settings are strictly applied. , you can log in with the login method permitted by the tenant.

Since the tenant administrator can change the tenant login settings by himself/herself, only the administrator may be able to log in using various login methods regardless of the tenant login settings. In this embodiment, a computer system that displays all login screens that can be set by the administrator in the information processing system 50 when the administrator logs in will be described.

In this embodiment, the hardware configuration diagrams of FIGS. 3 and 4 and the functional block diagram of FIG. 5 described in the above embodiment can be used.

<Processing to display the login screen based on the user's role>
FIG. 22 is an example of a sequence diagram in which the first terminal device 20 changes the login screen displayed according to the tenant's login settings and the user's role.

S1 to S13: may be the same as S1 to S13 in FIG.

S14-S24: If the login method is not stored in the browser information storage unit 26, the processing control unit 25 specifies the email address entered by the user and requests the information processing system 50 for login settings and user roles. The processing flow is the same as steps S14 to S24 in FIG. 7, except that the user's role is also acquired. The user information management unit 54 acquires the role of the user specified by the email address from the user information storage unit 57 . The tenant's login settings and the user's role are sent to the processing control unit 25 .

S25: The processing control unit 25 determines the login screen according to the login method permitted in the login settings and the user's role.
The user's role is determined to display a login screen corresponding to all login methods that can be set by the administrator in the information processing system 50 . All login methods that can be set by the administrator in the information processing system 50 are the same as "(D) all".
・Determine to display the login screen corresponding to the login method permitted by the user role in the general user login settings.

S26: If the user's role is administrator, the display control unit 23 displays the login screen E1 corresponding to all login methods. An example of the login screen E1 is shown in FIG.

S27-S36: Same as steps S26-S35 in FIG.

Note that FIG. 22 describes the case where each login method is displayed one by one (FIGS. 9 to 11), but if multiple login methods are permitted, multiple A login screen F corresponding to the login method is displayed.

<Login screen displayed by the administrator's second terminal device>
FIG. 23 shows an example of the login screen E1. Since the login screen E1 supports all login methods, it is similar to the login screen D1 in FIG. Therefore, administrators can log in using their preferred login method.

<Confirm another login method>
Also in this embodiment, the user can check whether there is another login method permitted by the tenant. That is, when the user's role is administrator, the second terminal device 30 can display the login screen E1.

FIG. 24 is an example of a sequence diagram showing processing executed by the second terminal device 30 and the information processing system 50 when the "confirm another login method button" 432 is pressed. In the description of FIG. 24, mainly the difference from FIG. 19 will be described. The user presses the "confirm another login method button" 432 on the login screens A2, B2, and C2.

S1-S16: The processing of steps S1-S16 is the same as steps S1-S16 in FIG. However, it differs in that the user's role is transmitted to the second terminal device 30 . The user information management unit 54 acquires the role of the user specified by the email address from the user information storage unit 57 . The tenant's login settings and the user's role are sent to the processing control unit 35 .

S17: The processing control unit 35 determines the login screen according to the login method permitted in the login settings and the user's role.
The user's role is determined to display a login screen corresponding to all login methods that can be set by the administrator in the information processing system 50 .
・Determine to display the login screen corresponding to the login method permitted by the user role in the general user login settings.

S18: If the user's role is administrator, the display control unit displays the login screen E1 corresponding to all login methods (FIG. 23).

S19-S22: Same as steps S18-S21 in FIG.

<Save login method when user role is administrator>
If the user's role is administrator, the processing control unit 25 should store all login methods. Once all login methods are saved, the administrator can log in from the login screen E1 corresponding to all login methods without entering an e-mail address.

FIG. 25 is an example of a sequence diagram illustrating the process of saving all login methods by the second terminal device 30 when the logged-in user is the administrator.

Steps S1-S44 are the same as steps S1-S44 in FIG. Also, steps S45 to S53 are the same as steps S6 to S16 in FIG.

S54: The processing control unit 35 receives the tenant's login setting and the user's role.

S55, S56: If the user's role is administrator, the processing control unit 35 saves all login methods that can be set by the administrator in the browser information storage unit 26 regardless of the tenant's login settings.

S57, S58: If the user's role is a general user and the login settings used by the user are not included in the login settings permitted by the tenant, the process control unit 35 sets the login method permitted by the tenant to the browser. Save in the information storage unit 26 .

S59, S60: If the user's role is a general user and the login settings used by the user are included in the login settings permitted by the tenant, the processing control unit 35 stores the login method used by the user as browser information. Save in the storage unit 26 .

The processing of steps S61-S67 may be the same as steps S59-S66 of FIG.

In this way, if all login methods are stored in the case of an administrator, the administrator can log in from the login screen E1 corresponding to all login methods without entering an e-mail address.

<Summary>
According to this embodiment, when the administrator logs in, all login screens can be displayed, and the operability for the administrator can be improved.

Although the user has logged in using the login method saved in the browser information storage unit 26, the user may log in using a login method that is not permitted by the login settings of the tenant. In this case, the browser information storage unit 26 stores the login method permitted by the tenant's login settings, but the user may not have registered the account information used in the tenant's login settings. For example, when logging in with the external service 70, this is no longer permitted by the tenant's login settings, and a password is required as another login method, but the password is not registered in the user information. Alternatively, you logged in using a password-based login method, but this login method is no longer permitted by the tenant login settings, and you need to link with the external service 70 as another login method, but the external service 70 is registered in the user information. This is the case when there is no

Therefore, in this embodiment, a computer system 1 that can replenish necessary account information by a login method permitted by a tenant's login setting will be described.

In this embodiment, the hardware configuration diagrams of FIGS. 3 and 4 and the functional block diagram of FIG. 5 described in the above embodiment can be used.

<Additional processing of account information required for the login method permitted in the tenant login settings>
In FIG. 26, when a user logs in using a login method stored in the browser information storage unit 26, but logs in using a login method not permitted by the tenant login settings, the login method permitted by the tenant login settings is displayed. 1 is an example of a sequence diagram in which a user replenishes necessary account information in .

S1, S2: User logs in. After this, up to step S54 in FIG. 17 is executed up to step S3.

S3 to S5: The processing control unit 25 specifies user identification information (mail address, tenant ID and user ID, or token) and requests the information processing system 50 for user information. This is to determine whether a password has been set and whether cooperation with the external service 70 has been completed. The first communication unit 22 and the fourth communication unit 52 transmit requests for user information to the user information management unit 54 .

S6, S7: The user information management unit 54 acquires the user information specified by the user specifying information from the user information storage unit 57. FIG.

S8-S10: The user information management unit 54 transmits the user information to the first terminal device 20. FIG. The first communication section 22 and the fourth communication section 52 transmit user information to the processing control section 25 .

The following processing is executed instead of steps S55 to S58 in FIG.

S11, S12: When the processing control unit 25 determines that the login method used by the user is not permitted by the tenant's login settings, the login method permitted by the tenant's login settings is stored in the browser information storage unit 26. do.

Steps S13 to S30 are executed when "(A) email address and password" and "(B) tenant ID, user ID and password" are permitted, but the password is not registered.

S13-S18: The processing control unit 25 requests the information processing system 50 to display a password setting screen. The first communication unit 22 and the fourth communication unit 52 transmit requests for the password setting screen to the screen information generation unit 53 . The screen information generation unit 53 generates screen information of the password setting screen and transmits the screen information to the first terminal device 20 . The first communication unit 22 and the fourth communication unit 52 transmit screen information of the password setting screen to the processing control unit 25 .

S19: The processing control unit 25 transmits the screen information of the password setting screen to the display control unit 23. FIG.

S20: The display control unit 23 displays a password setting screen. An example of the password setting screen is shown in FIG.

S21: User enters password. The operation accepting unit 24 accepts input of a password.

S22: The operation reception unit 24 requests the processing control unit 25 to register a password.

S23-S26: The processing control unit 25 requests the information processing system 50 to register a password by designating information for specifying the user. The first communication unit 22 and the fourth communication unit 52 transmit password registration requests to the user information management unit 54 . The user information management unit 54 identifies a user by user identification information (mail address, tenant ID and user ID, or token), and registers a password as user information.

S27-S30: The user information management unit 54 sends a password registration completion to the first terminal device 20. FIG. The first communication unit 22 and the fourth communication unit 52 transmit password registration completion to the processing control unit 25 .

Steps S31 to S64 are executed when "(C) use of external service" is permitted but the external service 70 is not registered.

S31-S33: The processing control unit 25 requests the information processing system 50 to display an external service authentication cooperation screen. The request for the external service authentication cooperation screen is transmitted to the screen information generation unit 53 via the first communication unit 22 and the fourth communication unit 52 .

S34-S36: The screen information generating unit 53 generates screen information for the external service authentication cooperation screen and transmits it to the first terminal device 20. FIG. Screen information of the external service authentication cooperation screen is transmitted to the processing control unit 25 via the first communication unit 22 and the fourth communication unit 52 .

S37: The processing control unit 25 transmits the screen information of the external service authentication cooperation screen to the display control unit 23 .

S38: The display control unit 23 displays the external service authentication cooperation screen. An example of the external service authentication cooperation screen is shown in FIG.

S39: The user presses the authentication cooperation button. The operation accepting unit 24 accepts pressing.

S40: The operation reception unit 24 sends to the processing control unit 25 that the authentication cooperation button has been pressed.

S41-S43: The processing control unit 25 requests the information processing system 50 to perform external service authentication cooperation processing. A request for external service authentication cooperation processing is transmitted to the authentication/authorization unit 56 via the first communication unit 22 and the fourth communication unit 52 .

S44-S46: Since the authentication/authorization unit 56 has received the request for the external service authentication cooperation processing, it sends a redirect to the external service 70 to the first terminal device 20 together with the previously known URL of the authentication cooperation screen of the external service 70. Send. The URL of the authentication cooperation screen of the external service 70 and a redirect request to the external service 70 are transmitted to the processing control unit 25 via the first communication unit 22 and the fourth communication unit 52 . Note that the authentication/authorization unit 56 transmits a ticket specifying the user to the first terminal device 20 in advance.

S47-S50: The processing control unit 25 redirects to the authentication cooperation screen of the external service 70 based on the URL of the authentication cooperation screen of the external service 70. FIG. That is, the processing control unit 25 redirects to the external service 70 and acquires the screen information of the authentication collaboration screen of the external service 70 .

S51, S52: The processing control unit 25 transmits the screen information of the authentication cooperation screen of the external service 70 to the display control unit 23, and the display control unit 23 displays the authentication cooperation screen of the external service 70.

S53: The user enables authentication federation of the external service 70 from the authentication federation screen of the external service 70 . The operation accepting unit 24 accepts an operation. In general, a site that requires login, such as the external service 70 , saves account information in cookies or the like, and the user does not need to input account information to the external service 70 . Therefore, when the user uses the external service, the user only needs to press the login button 426 on the external service.

S54-S56: The operation reception unit 24 sends the account information and the authentication request stored as cookies, etc., to the processing control unit 25, the first communication unit 22, and the processing control unit 25, the first communication unit 22, and It transmits to the external service 70 via the fourth communication unit 52 . When the external service 70 authenticates the user and the authentication succeeds, authentication cooperation is enabled for the user specified by the information specifying the user.

S57, S58: The external service 70 transmits to the first terminal device 20 that the authentication cooperation has been validated.

S59-S61: The processing control unit 25 transmits registration of authentication cooperation to the information processing system 50 together with the ticket. The ticket and the authentication cooperation registration request are transmitted to the authentication/authorization unit 56 via the first communication unit 22 and the fourth communication unit 52 .

S62-S64: The authentication/authorization unit 56 enables authentication cooperation for the user specified by the ticket, and transmits to the first terminal device 20 a message indicating that authentication cooperation has been set (completion of registration of authentication cooperation information). The authentication cooperation information registration completion is transmitted to the processing control unit 25 via the first communication unit 22 and the fourth communication unit 52 .

The processing of S65-S74 may be the same as steps S57-S66 of FIG.

<Password setting screen>
FIG. 27 is an example of the password setting screen 480. As shown in FIG. The password setting screen 480 has a password setting field 481 and a password confirmation field 482 . The processing control unit 25 verifies the number of characters in the password and the types of characters that make up the password, and if the passwords in the password setting column 481 and the password confirmation column 482 are the same, accepts the password setting.

<External service authentication federation screen>
FIG. 28 is an example of an external service authentication cooperation screen 490. As shown in FIG. The external service authentication cooperation screen 490 has an authentication cooperation button 491 . The authentication cooperation button 491 is a button for enabling authentication cooperation by the external service 70 .

<Summary>
As described above, the computer system 1 of the present embodiment logs in using the login method stored in the browser information storage unit 26, but if the user logs in using a login method not permitted by the tenant's login settings, the tenant You can supplement the necessary account information with the login methods allowed in the login settings of

<Other application examples>
Although the best mode for carrying out the present invention has been described above using examples, the present invention is by no means limited to such examples, and various modifications can be made without departing from the scope of the present invention. and substitutions can be added.

The configuration example of FIG. 5 etc. is divided according to the main functions in order to facilitate understanding of the processing by the first terminal device 20, the second terminal device 30, the electronic device 10, and the information processing system 50. It is a thing. The present invention is not limited by the division method or name of the unit of processing. The processing of the first terminal device 20, the second terminal device 30, the electronic device 10, and the information processing system 50 can also be divided into more processing units according to the content of the processing. Also, one processing unit can be divided to include more processing.

Moreover, the devices described in the examples are only representative of one of several computing environments for implementing the embodiments disclosed herein. In some embodiments, information handling system 50 includes multiple computing devices, such as a server cluster. Multiple computing devices are configured to communicate with each other over any type of communication link, including a network, shared memory, etc., to perform the processes disclosed herein.

Further, information handling system 50 can be configured to share the disclosed processing steps, eg, FIGS. 7, 17, 19, 20, 22, and 24-26, in various combinations. For example, a process executed by a given unit may be executed by multiple information processing devices included in the information processing system 50 . Further, the information processing system 50 may be integrated into one server device, or may be divided into a plurality of devices.

Each function of the embodiments described above may be implemented by one or more processing circuits. Here, the "processing circuit" in this specification means a processor programmed by software to perform each function, such as a processor implemented by an electronic circuit, or a processor designed to perform each function described above. Devices such as ASIC (Application Specific Integrated Circuit), DSP (Digital Signal Processor), FPGA (Field Programmable Gate Array) and conventional circuit modules are included.

1 Computer System 10 Electronic Device 20 First Terminal Device 30 Second Terminal Device 50 Information Processing System

Japanese Patent No. 6375877

Claims (13)

A computer system having an information processing system that authenticates a user by one of a plurality of login methods, and a terminal device that requests user authentication from the information processing system,
The terminal device
a processing control unit that determines a login method according to a login method used in the past and stores the login method used in the past in an information storage unit ;
a display control unit that displays a login screen corresponding to the login method determined by the processing control unit ;
The terminal device acquires from the information processing system screen information of a login screen corresponding to one or more login methods permitted by a tenant to which the user belongs,
If the login method used in the past is not saved in the information storage unit,
The computer system , wherein the display control unit displays a login screen corresponding to the login method acquired from the information processing system . 2. The computer system according to claim 1, wherein the login method stored in the information storage unit is determined as the login method used by the user. The user belongs to a tenant where the service is provided, and one or more login methods permitted by the tenant are registered in the tenant,
The information processing system includes a user information management unit that identifies a tenant to which a user belongs based on user identification information transmitted from the terminal device;
a tenant information management unit that acquires one or more login methods permitted by the tenant specified by the user information management unit;
The terminal device acquires from the information processing system screen information of a login screen corresponding to one or more login methods permitted by a tenant to which the user belongs,
3. The computer system according to claim 1, wherein the display control unit displays a login screen corresponding to the login method determined by the processing control unit among the login screens acquired from the information processing system. . If the login method used in the past is not saved in the information storage unit and there are multiple login methods acquired from the information processing system,
2. The computer system according to claim 1 , wherein said display control unit displays a login screen allowing login by a plurality of login methods. If the login method used by the user on the login screen is not included in the login methods acquired from the information processing system,
3. The computer system according to claim 2, wherein said processing control unit stores the login method acquired from said information processing system in said information storage unit. If the login method used by the user on the login screen is not included in the login methods acquired from the information processing system,
The processing control unit requests the information processing system to log out the logged-in user,
6. The computer system according to claim 5 , wherein the display control unit displays the login screen corresponding to the login method saved in the information storage unit. If the login method used by the user on the login screen is included in the login method acquired from the information processing system,
3. The computer system according to claim 2, wherein said processing control unit stores the login method used by said user in said information storage unit. If the login method used in the past is not saved in the information storage unit,
The processing control unit designates identification information of the user and acquires the role of the user from the information processing system,
5. The computer system according to claim 4, wherein said login screen is determined according to said user's role. If the user's role is administrator,
9. The computer system according to claim 8 , wherein said processing control unit stores all login methods that can be set in said information processing system in said information storage unit. If the user's role is administrator,
The processing control unit determines a login method that provides a user with all login methods that can be set in the information processing system,
9. The computer system according to claim 8 , wherein said display control unit displays a login screen allowing login by all login methods that can be set in said information processing system. The login method used by the user on the login screen is not included in the login method acquired from the information processing system, and the processing control unit stores the login method acquired from the information processing system in the information storage unit. and if
If the account information required for the login method saved in the information storage unit is not registered in the information processing system,
The display control unit displays a screen for accepting input of the account information required for the login method,
6. The computer system according to claim 5 , wherein said processing control unit registers account information necessary for said login method input from said screen in said information processing system. A login screen display method performed by a computer system having an information processing system that authenticates a user by one of a plurality of login methods, and a terminal device that requests the information processing system to authenticate the user,
The terminal device
a step in which the processing control unit determines a login method according to a login method used in the past , and stores the login method used in the past in an information storage unit ;
displaying a login screen corresponding to the login method determined by the processing control unit;
has
The terminal device acquires from the information processing system screen information of a login screen corresponding to one or more login methods permitted by a tenant to which the user belongs,
If the login method used in the past is not saved in the information storage unit,
A login screen display method, comprising : displaying a login screen corresponding to a login method acquired from the information processing system . A terminal device that requests user authentication for an information processing system that authenticates a user by one of a plurality of login methods,
a processing control unit that determines a login method according to a login method used in the past and stores the login method used in the past in an information storage unit ;
functioning as a display control unit that displays a login screen corresponding to the login method determined by the processing control unit,
The terminal device acquires from the information processing system screen information of a login screen corresponding to one or more login methods permitted by a tenant to which the user belongs,
If the login method used in the past is not saved in the information storage unit,
A program for causing the display control unit to display a login screen corresponding to the login method acquired from the information processing system .

Images